Top Threat: Windows Security Center Spoof

Discussion in 'other security issues & news' started by Galcoolest, Nov 17, 2004.

Thread Status:
Not open for further replies.
  1. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    PC Magazine reported about yet another serious hole in the SP2 security defenses, and I haven't seen it discussed here yet so I am going to quote the whole article to save folks a few steps. The only thing you won't have here are the illustrations referenced as Figures 1...x.

I believe I was a victim of the drag and drop vulnerability two weeks ago, which could also play into this one, which has to do with the WMI and Security Center. Plus, if, as I was, one is surfing as an administrator, you could be in serious trouble and mangled like me if someone exploits any of the known or purported holes in SP2 and gets in your PC with that kind of power.

    Security Watch Special: Windows XP SP2 Security Center Spoofing Threat

    Top Threat: Windows Security Center Spoof

Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (WSC), which displays the status (Figure 1) of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.

    Figure 1 SP2 Security Center

    Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

    According to Microsoft, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications written in desktop- or web-based scripting or ActiveX modules.

    This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

    Some existing malicious programs attack the antivirus or firewall directly, using techniques specific to the security product. These attacks are almost invariably blocked when security is turned on. The malicious program could wait until the security products are temporarily disabled before acting. However, to do that currently, they would have to monitor the products directly, which again would trigger alarms. But, a program just casually checking WMI may be ignored by security programs. When WMI reports that protection is off, the malicious program could permanently disable the security protection and remain undetected. Because the WMI database is not set to be a read-only file, the attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion. The WMI database and subsystem cares less what the actual state of the product is, only that it was told things are okay.

Beyond that, it is also possible to use WBEM API functions to add a firewall or antivirus listing that didn't previously exist. In our example, we used a reasonably simple script to add in fake antivirus and firewall product listings in the Windows Security Center. In both cases, we told WMI that they were up to date and enabled (Figure 2).

    Figure 2. Faked Security Center entries

    The WMI and WBEM interface has been well documented both on the Microsoft Developer's Network, and other places on the web. We were able to find some references to the namespace and objects that the Windows Security Center uses on the web, though no references to it being exploited, yet.

However, it's almost like Microsoft has given attackers the path, door and keys: Windows itself contains a test utility, WBEMTEST.EXE, that allows you to view, add and edit the values in the WMI. In addition, files associated with the utility provide the namespace, classes, and data types associated with the Windows Security Center, all in plain text. The danger in this utility is not that it can edit the WMI, but that it lets a malicious developer learn the data and fields needed to do the spoof.

While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users, who will be at risk, run in the default administrator mode.

    When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. Read Microsoft Responds to see what they said.
     
    Last edited by a moderator: Nov 17, 2004
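A defender-side check, added here and not part of the article or the post: it lists what the Security Center's WMI records claim, reports whether the session has the administrator rights the article names as the only barrier, and flags any reported product that no installer registered on the machine. It assumes the XP SP2 namespace root\SecurityCenter with AntiVirusProduct and FirewallProduct classes and their property names, and that a genuine product also appears under the Uninstall registry key; none of those names are given on the page.

```powershell
# Added audit script (assumed namespace/class/property names, not from the article).
function Test-IsAdministrator {
    # The article's one mitigation: the spoof needs admin rights, so report how we run.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledDisplayNames {
    # Names of programs an installer actually registered (heuristic ground truth).
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | ForEach-Object { $_.DisplayName }
}

function Get-SecurityCenterReport {
    # Read the same WMI records the article says a script can rewrite; read-only here.
    $ns = 'root\SecurityCenter'
    foreach ($p in @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue)) {
        New-Object PSObject -Property @{ Kind = 'AntiVirus'; Name = $p.displayName; Company = $p.companyName
                                         Enabled = $p.onAccessScanningEnabled; UpToDate = $p.productUptoDate
                                         Guid = $p.instanceGuid }
    }
    foreach ($p in @(Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue)) {
        New-Object PSObject -Property @{ Kind = 'Firewall'; Name = $p.displayName; Company = $p.companyName
                                         Enabled = $p.enabled; UpToDate = 'n/a'; Guid = $p.instanceGuid }
    }
}

$installed = @(Get-InstalledDisplayNames)
"Running as administrator: {0}" -f (Test-IsAdministrator)
foreach ($r in Get-SecurityCenterReport) {
    # Built-in Windows Firewall has no uninstall entry, so Microsoft's own records are not judged.
    if ($r.Company -like 'Microsoft*') {
        $verdict = 'built-in'
    } else {
        $known = $installed | Where-Object { $r.Name -and ($_ -like "*$($r.Name)*" -or $r.Name -like "*$_*") }
        # A product WSC reports but nothing installed is the faked listing the article describes.
        $verdict = if ($known) { 'ok' } else { 'SUSPICIOUS: no matching installed program' }
    }
    "{0,-9} {1,-30} enabled={2,-5} uptodate={3,-5} guid={4} {5}" -f $r.Kind, $r.Name, $r.Enabled, $r.UpToDate, $r.Guid, $verdict
}
```

Run it from a Limited account as well as an administrator one to see the difference the article's mitigation makes; the report itself is the same, only the ability to alter those records changes.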
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
ERROR: Link to article leads to missing page / page not found error.
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
Hyperlink now fixed... Thanks nadirah :)
     
  4. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
Thanks so much for fixing that. My goof-up, and I didn't notice; I wasn't online again until tonight... Cheers.
     
  5. firefoxguy

    firefoxguy Guest

    Do people actually use the windows security center? LOL
     
  6. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    I think there are a bunch of folks who don't have a clue about their software and just leave it as is when installed, with all the insecure XP default settings. In fact, I'd bet MOST XP users!
     
  7. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    It's essentially a "one-stop shopping" approach, I suppose ... I don't bother with it myself since the status info and settings-changes are also (and more conveniently, frankly) available elsewhere on your system.
     
  8. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    You bet? I'm pretty sure most PC users just USE their system without knowing anything about these settings. :doubt:
    Installing all kinds of software they find on the internet to try it out without even thinking about how it can mess up their system. Firewall, antivirus & others - they never heard of it or they don't know how to configure it, set it up.
    Just my experience though. ;)
     
  9. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Most XP home users (and I bet Pro users) run as admin. Try to create another account and see how much effort that takes :'(
As one colleague of mine said: "there's no secret or confidential data on my home pc, so who would want to access my pc". Yep, lots of missionary work to be done. :'(
     